Skip to main content

vtcode_auth/
mcp_oauth.rs

1//! OAuth support for HTTP MCP providers.
2
3use anyhow::{Context, Result, anyhow, bail};
4use base64::Engine;
5use base64::engine::general_purpose::URL_SAFE_NO_PAD;
6use reqwest::{Client, Url};
7use ring::rand::{SecureRandom, SystemRandom};
8use serde::{Deserialize, Serialize};
9use std::collections::BTreeMap;
10
11use crate::credentials::{AuthCredentialsStoreMode, CredentialStorage};
12use crate::pkce::{PkceChallenge, generate_pkce_challenge};
13
14const DEFAULT_CALLBACK_PORT: u16 = 8768;
15const DEFAULT_FLOW_TIMEOUT_SECS: u64 = 300;
16const REFRESH_SKEW_SECS: u64 = 60;
17
18/// Configuration for OAuth-enabled MCP HTTP providers.
19#[derive(Debug, Clone, Serialize, Deserialize)]
20#[cfg_attr(feature = "schema", derive(schemars::JsonSchema))]
21#[serde(default)]
22pub struct McpOAuthConfig {
23    /// OAuth authorization endpoint.
24    pub authorization_url: String,
25    /// OAuth token endpoint.
26    pub token_url: String,
27    /// OAuth client identifier.
28    pub client_id: String,
29    /// Requested scopes.
30    #[serde(default)]
31    pub scopes: Vec<String>,
32    /// Optional audience/resource hint sent with the auth and token requests.
33    #[serde(default)]
34    pub audience: Option<String>,
35    /// Local callback server port.
36    pub callback_port: u16,
37    /// Browser-flow timeout in seconds.
38    pub flow_timeout_secs: u64,
39    /// Credential storage backend for this provider's token.
40    #[serde(default)]
41    pub credentials_store_mode: AuthCredentialsStoreMode,
42    /// Extra query parameters appended to the authorization URL.
43    #[serde(default)]
44    pub extra_auth_params: BTreeMap<String, String>,
45    /// Extra form fields appended to token exchanges and refreshes.
46    #[serde(default)]
47    pub extra_token_params: BTreeMap<String, String>,
48}
49
50impl Default for McpOAuthConfig {
51    fn default() -> Self {
52        Self {
53            authorization_url: String::new(),
54            token_url: String::new(),
55            client_id: String::new(),
56            scopes: Vec::new(),
57            audience: None,
58            callback_port: DEFAULT_CALLBACK_PORT,
59            flow_timeout_secs: DEFAULT_FLOW_TIMEOUT_SECS,
60            credentials_store_mode: AuthCredentialsStoreMode::default(),
61            extra_auth_params: BTreeMap::new(),
62            extra_token_params: BTreeMap::new(),
63        }
64    }
65}
66
67impl McpOAuthConfig {
68    pub fn validate(&self, provider_name: &str) -> Result<()> {
69        if self.authorization_url.trim().is_empty() {
70            bail!("MCP provider '{provider_name}' is missing oauth.authorization_url");
71        }
72        if self.token_url.trim().is_empty() {
73            bail!("MCP provider '{provider_name}' is missing oauth.token_url");
74        }
75        if self.client_id.trim().is_empty() {
76            bail!("MCP provider '{provider_name}' is missing oauth.client_id");
77        }
78        Ok(())
79    }
80
81    fn callback_url(&self) -> String {
82        format!("http://localhost:{}/auth/callback", self.callback_port)
83    }
84}
85
86/// Stored OAuth token for an MCP HTTP provider.
87#[derive(Debug, Clone, Serialize, Deserialize)]
88pub struct McpOAuthToken {
89    pub access_token: String,
90    pub refresh_token: Option<String>,
91    pub token_type: Option<String>,
92    pub scope: Option<String>,
93    pub obtained_at: u64,
94    pub expires_at: Option<u64>,
95}
96
97impl McpOAuthToken {
98    pub fn is_refresh_due(&self) -> bool {
99        self.expires_at
100            .is_some_and(|expires_at| now_secs().saturating_add(REFRESH_SKEW_SECS) >= expires_at)
101    }
102}
103
104/// Status for an MCP provider's stored OAuth token.
105#[derive(Debug, Clone)]
106pub enum McpOAuthStatus {
107    Authenticated {
108        age_seconds: u64,
109        expires_in: Option<u64>,
110    },
111    NotAuthenticated,
112}
113
114/// Prepared browser-login flow for an MCP OAuth provider.
115#[derive(Debug, Clone)]
116pub struct McpOAuthPreparedLogin {
117    pub auth_url: String,
118    pub callback_port: u16,
119    pub timeout_secs: u64,
120    pkce: PkceChallenge,
121    state: String,
122}
123
124impl McpOAuthPreparedLogin {
125    #[must_use]
126    pub fn expected_state(&self) -> &str {
127        &self.state
128    }
129}
130
131/// Completion payload kept intentionally close to Codex app-server.
132#[derive(Debug, Clone, PartialEq, Eq)]
133pub struct McpOAuthLoginCompletion {
134    pub name: String,
135    pub success: bool,
136    pub error: Option<String>,
137}
138
139/// Service for loading, refreshing, and persisting MCP OAuth tokens.
140#[derive(Debug, Clone, Default)]
141pub struct McpOAuthService;
142
143impl McpOAuthService {
144    #[must_use]
145    pub fn new() -> Self {
146        Self
147    }
148
149    pub fn prepare_login(
150        &self,
151        provider_name: &str,
152        config: &McpOAuthConfig,
153    ) -> Result<McpOAuthPreparedLogin> {
154        config.validate(provider_name)?;
155        let pkce = generate_pkce_challenge()?;
156        let state = generate_state()?;
157        let auth_url = build_auth_url(config, &pkce, &state)?;
158        Ok(McpOAuthPreparedLogin {
159            auth_url,
160            callback_port: config.callback_port,
161            timeout_secs: config.flow_timeout_secs,
162            pkce,
163            state,
164        })
165    }
166
167    pub async fn complete_login(
168        &self,
169        provider_name: &str,
170        config: &McpOAuthConfig,
171        prepared: &McpOAuthPreparedLogin,
172        code: &str,
173    ) -> Result<McpOAuthLoginCompletion> {
174        config.validate(provider_name)?;
175        let token = exchange_code_for_token(config, code, &prepared.pkce).await?;
176        save_token(provider_name, &token, config.credentials_store_mode)?;
177        Ok(McpOAuthLoginCompletion {
178            name: provider_name.to_string(),
179            success: true,
180            error: None,
181        })
182    }
183
184    pub fn status(
185        &self,
186        provider_name: &str,
187        storage_mode: AuthCredentialsStoreMode,
188    ) -> Result<McpOAuthStatus> {
189        let Some(token) = load_token(provider_name, storage_mode)? else {
190            return Ok(McpOAuthStatus::NotAuthenticated);
191        };
192        let now = now_secs();
193        Ok(McpOAuthStatus::Authenticated {
194            age_seconds: now.saturating_sub(token.obtained_at),
195            expires_in: token.expires_at.map(|expires_at| expires_at.saturating_sub(now)),
196        })
197    }
198
199    pub fn load_token(
200        &self,
201        provider_name: &str,
202        storage_mode: AuthCredentialsStoreMode,
203    ) -> Result<Option<McpOAuthToken>> {
204        load_token(provider_name, storage_mode)
205    }
206
207    pub async fn resolve_access_token(
208        &self,
209        provider_name: &str,
210        config: &McpOAuthConfig,
211    ) -> Result<Option<String>> {
212        let Some(mut token) = load_token(provider_name, config.credentials_store_mode)? else {
213            return Ok(None);
214        };
215
216        if token.is_refresh_due() {
217            if token.refresh_token.is_some() {
218                token = refresh_token(config, &token).await?;
219                save_token(provider_name, &token, config.credentials_store_mode)?;
220            } else {
221                bail!(
222                    "Stored MCP OAuth token for '{provider_name}' expired and cannot be refreshed. Run `vtcode mcp login {provider_name}` again."
223                );
224            }
225        }
226
227        Ok(Some(token.access_token))
228    }
229
230    pub fn logout(
231        &self,
232        provider_name: &str,
233        storage_mode: AuthCredentialsStoreMode,
234    ) -> Result<McpOAuthLoginCompletion> {
235        clear_token(provider_name, storage_mode)?;
236        Ok(McpOAuthLoginCompletion {
237            name: provider_name.to_string(),
238            success: true,
239            error: None,
240        })
241    }
242}
243
244fn build_auth_url(
245    config: &McpOAuthConfig,
246    challenge: &PkceChallenge,
247    state: &str,
248) -> Result<String> {
249    let mut url =
250        Url::parse(&config.authorization_url).context("invalid oauth.authorization_url")?;
251    {
252        let mut query = url.query_pairs_mut();
253        query.append_pair("response_type", "code");
254        query.append_pair("client_id", &config.client_id);
255        query.append_pair("redirect_uri", &config.callback_url());
256        query.append_pair("code_challenge", &challenge.code_challenge);
257        query.append_pair("code_challenge_method", &challenge.code_challenge_method);
258        query.append_pair("state", state);
259        if !config.scopes.is_empty() {
260            query.append_pair("scope", &config.scopes.join(" "));
261        }
262        if let Some(audience) = config.audience.as_deref()
263            && !audience.trim().is_empty()
264        {
265            query.append_pair("audience", audience);
266        }
267        for (key, value) in &config.extra_auth_params {
268            if !key.trim().is_empty() {
269                query.append_pair(key, value);
270            }
271        }
272    }
273    Ok(url.to_string())
274}
275
276async fn exchange_code_for_token(
277    config: &McpOAuthConfig,
278    code: &str,
279    challenge: &PkceChallenge,
280) -> Result<McpOAuthToken> {
281    let mut form = vec![
282        ("grant_type".to_string(), "authorization_code".to_string()),
283        ("client_id".to_string(), config.client_id.clone()),
284        ("code".to_string(), code.to_string()),
285        ("redirect_uri".to_string(), config.callback_url()),
286        ("code_verifier".to_string(), challenge.code_verifier.to_string()),
287    ];
288    if let Some(audience) = config.audience.as_deref()
289        && !audience.trim().is_empty()
290    {
291        form.push(("audience".to_string(), audience.to_string()));
292    }
293    form.extend(
294        config
295            .extra_token_params
296            .iter()
297            .map(|(key, value)| (key.clone(), value.clone())),
298    );
299    send_token_request(&config.token_url, &form).await
300}
301
302async fn refresh_token(config: &McpOAuthConfig, current: &McpOAuthToken) -> Result<McpOAuthToken> {
303    let refresh_token =
304        current
305            .refresh_token
306            .as_deref()
307            .filter(|value| !value.trim().is_empty())
308            .ok_or_else(|| anyhow!("Stored MCP OAuth token does not include a refresh token"))?;
309    let mut form = vec![
310        ("grant_type".to_string(), "refresh_token".to_string()),
311        ("client_id".to_string(), config.client_id.clone()),
312        ("refresh_token".to_string(), refresh_token.to_string()),
313    ];
314    if let Some(audience) = config.audience.as_deref()
315        && !audience.trim().is_empty()
316    {
317        form.push(("audience".to_string(), audience.to_string()));
318    }
319    form.extend(
320        config
321            .extra_token_params
322            .iter()
323            .map(|(key, value)| (key.clone(), value.clone())),
324    );
325
326    let refreshed = send_token_request(&config.token_url, &form).await?;
327    Ok(McpOAuthToken {
328        refresh_token: refreshed.refresh_token.or_else(|| current.refresh_token.clone()),
329        ..refreshed
330    })
331}
332
333async fn send_token_request(token_url: &str, form: &[(String, String)]) -> Result<McpOAuthToken> {
334    let response = Client::new()
335        .post(token_url)
336        .header("Content-Type", "application/x-www-form-urlencoded")
337        .form(form)
338        .send()
339        .await
340        .with_context(|| format!("failed to send MCP OAuth request to {token_url}"))?;
341    let status = response.status();
342    let body = response.text().await.context("failed to read MCP OAuth response body")?;
343
344    if !status.is_success() {
345        bail!("MCP OAuth request failed (HTTP {status}): {body}");
346    }
347
348    let payload: TokenResponse =
349        serde_json::from_str(&body).context("failed to parse MCP OAuth token response")?;
350    let now = now_secs();
351    Ok(McpOAuthToken {
352        access_token: payload.access_token,
353        refresh_token: payload.refresh_token,
354        token_type: payload.token_type,
355        scope: payload.scope,
356        obtained_at: now,
357        expires_at: payload.expires_in.map(|secs| now.saturating_add(secs)),
358    })
359}
360
361#[derive(Debug, Deserialize)]
362struct TokenResponse {
363    access_token: String,
364    #[serde(default)]
365    refresh_token: Option<String>,
366    #[serde(default)]
367    token_type: Option<String>,
368    #[serde(default)]
369    scope: Option<String>,
370    #[serde(default)]
371    expires_in: Option<u64>,
372}
373
374fn generate_state() -> Result<String> {
375    let mut state_bytes = [0_u8; 32];
376    SystemRandom::new()
377        .fill(&mut state_bytes)
378        .map_err(|_| anyhow!("failed to generate MCP OAuth state"))?;
379    Ok(URL_SAFE_NO_PAD.encode(state_bytes))
380}
381
382fn save_token(
383    provider_name: &str,
384    token: &McpOAuthToken,
385    storage_mode: AuthCredentialsStoreMode,
386) -> Result<()> {
387    let serialized = serde_json::to_string(token).context("failed to serialize MCP OAuth token")?;
388    token_storage(provider_name).store_with_mode(&serialized, storage_mode)
389}
390
391fn load_token(
392    provider_name: &str,
393    storage_mode: AuthCredentialsStoreMode,
394) -> Result<Option<McpOAuthToken>> {
395    let Some(serialized) = token_storage(provider_name).load_with_mode(storage_mode)? else {
396        return Ok(None);
397    };
398    serde_json::from_str(&serialized)
399        .context("failed to parse stored MCP OAuth token")
400        .map(Some)
401}
402
403fn clear_token(provider_name: &str, storage_mode: AuthCredentialsStoreMode) -> Result<()> {
404    token_storage(provider_name).clear_with_mode(storage_mode)
405}
406
407fn token_storage(provider_name: &str) -> CredentialStorage {
408    let normalized_provider = provider_name
409        .chars()
410        .map(|ch| {
411            if ch.is_ascii_alphanumeric() || ch == '-' || ch == '_' {
412                ch
413            } else {
414                '_'
415            }
416        })
417        .collect::<String>();
418    CredentialStorage::new("vtcode", format!("mcp_oauth_{normalized_provider}"))
419}
420
421fn now_secs() -> u64 {
422    std::time::SystemTime::now()
423        .duration_since(std::time::UNIX_EPOCH)
424        .map(|duration| duration.as_secs())
425        .unwrap_or(0)
426}
427
428#[cfg(test)]
429mod tests {
430    use super::*;
431    use assert_fs::TempDir;
432    use serial_test::serial;
433    use std::path::PathBuf;
434
435    struct TestAuthDirGuard {
436        previous: Option<PathBuf>,
437        temp_dir: Option<TempDir>,
438    }
439
440    impl TestAuthDirGuard {
441        fn new() -> Self {
442            let temp_dir = TempDir::new().expect("temp dir");
443            let previous = crate::storage_paths::auth_storage_dir_override_for_tests()
444                .expect("read previous auth dir override");
445            crate::storage_paths::set_auth_storage_dir_override_for_tests(Some(
446                temp_dir.path().to_path_buf(),
447            ))
448            .expect("set auth dir override");
449            Self { previous, temp_dir: Some(temp_dir) }
450        }
451    }
452
453    impl Drop for TestAuthDirGuard {
454        fn drop(&mut self) {
455            crate::storage_paths::set_auth_storage_dir_override_for_tests(self.previous.clone())
456                .expect("restore auth dir override");
457            if let Some(temp_dir) = self.temp_dir.take() {
458                let _ = temp_dir.close();
459            }
460        }
461    }
462
463    fn sample_config() -> McpOAuthConfig {
464        McpOAuthConfig {
465            authorization_url: "https://example.com/oauth/authorize".to_string(),
466            token_url: "https://example.com/oauth/token".to_string(),
467            client_id: "client-123".to_string(),
468            scopes: vec!["mcp:read".to_string(), "mcp:write".to_string()],
469            audience: Some("mcp-api".to_string()),
470            callback_port: 8123,
471            flow_timeout_secs: 120,
472            credentials_store_mode: AuthCredentialsStoreMode::File,
473            extra_auth_params: BTreeMap::from([("prompt".to_string(), "consent".to_string())]),
474            extra_token_params: BTreeMap::new(),
475        }
476    }
477
478    #[test]
479    fn prepare_login_builds_expected_auth_url() {
480        let service = McpOAuthService::new();
481        let prepared = service.prepare_login("demo", &sample_config()).expect("prepare login");
482
483        assert!(prepared.auth_url.contains("response_type=code"));
484        assert!(prepared.auth_url.contains("client_id=client-123"));
485        assert!(prepared.auth_url.contains("scope=mcp%3Aread+mcp%3Awrite"));
486        assert!(prepared.auth_url.contains("audience=mcp-api"));
487        assert!(prepared.auth_url.contains("prompt=consent"));
488        assert!(prepared.auth_url.contains("code_challenge="));
489        assert!(prepared.auth_url.contains("state="));
490        assert_eq!(prepared.callback_port, 8123);
491        assert_eq!(prepared.timeout_secs, 120);
492    }
493
494    #[test]
495    #[serial]
496    fn status_reflects_stored_token() {
497        let _guard = TestAuthDirGuard::new();
498        let service = McpOAuthService::new();
499        let storage_mode = AuthCredentialsStoreMode::File;
500        assert!(matches!(
501            service.status("demo", storage_mode).expect("status"),
502            McpOAuthStatus::NotAuthenticated
503        ));
504
505        save_token(
506            "demo",
507            &McpOAuthToken {
508                access_token: "access".to_string(),
509                refresh_token: Some("refresh".to_string()),
510                token_type: Some("Bearer".to_string()),
511                scope: Some("mcp:read".to_string()),
512                obtained_at: now_secs(),
513                expires_at: Some(now_secs() + 3600),
514            },
515            storage_mode,
516        )
517        .expect("save token");
518
519        let status = service.status("demo", storage_mode).expect("status");
520        assert!(matches!(status, McpOAuthStatus::Authenticated { expires_in: Some(_), .. }));
521    }
522
523    #[test]
524    #[serial]
525    fn logout_clears_stored_token() {
526        let _guard = TestAuthDirGuard::new();
527        let service = McpOAuthService::new();
528        let storage_mode = AuthCredentialsStoreMode::File;
529        save_token(
530            "demo",
531            &McpOAuthToken {
532                access_token: "access".to_string(),
533                refresh_token: None,
534                token_type: Some("Bearer".to_string()),
535                scope: None,
536                obtained_at: now_secs(),
537                expires_at: None,
538            },
539            storage_mode,
540        )
541        .expect("save token");
542
543        service.logout("demo", storage_mode).expect("logout");
544        assert!(load_token("demo", storage_mode).expect("load").is_none());
545    }
546}